supership-scan
Predeploy security scanner for AI code. 80+ patterns. Runs locally. x402 attestation.
supership-scan
Predeploy security scanner for the agent economy. Built by Crest Deployment Systems.
Scans your code for 80+ vulnerability patterns across secrets, auth, injection, config, Supabase, and logging. Runs locally. Your code never leaves the machine.
Install
npm install -g supership-scan
Requires Node.js 18+.
Usage
CLI
supership-scan .
Scans the current directory and prints findings.
supership-scan ./my-project --attest
Scans and requests a witnessed attestation ($0.01 USDC on Base). Only the report envelope (hashes and findings) is transmitted. Never source code.
MCP Server
supership-mcp
Starts an MCP server for AI editors (Claude Code, Cursor, Windsurf). Exposes the scanner as tools that agents can call directly.
Example Output
supership v1.0.0
Scanning 42 files...
Score: 87/100
Grade: B
Findings:
HIGH AUTH-003 Missing auth middleware on /api/admin src/routes/admin.js:14
MEDIUM CFG-002 CORS wildcard in production src/server.js:8
LOW LOG-001 Error stack in response body src/middleware/error.js:22
Scan complete. Code never left this machine.
Rule Categories
| Category | Patterns | Examples |
|---|---|---|
| Secrets | 30+ | API keys, credentials, .env exposure, private keys |
| Auth | 12+ | Missing middleware, inverted logic, RLS gaps |
| Injection | 15+ | SQL interpolation, XSS, eval(), command injection |
| Config | 10+ | CORS wildcards, source maps, insecure cookies |
| Supabase | 8+ | RLS disabled, permissive policies, service_role misuse |
| Logging | 6+ | Sensitive data in logs, error stack exposure |
Scoring
Score starts at 100. Penalties: critical (-25), high (-10), medium (-5), low (-1).
Severity gates override the score:
- Any critical finding = grade F
- Any high finding = grade C max
| Grade | Score |
|---|---|
| A | 90+ |
| B | 75-89 |
| C | 60-74 |
| D | 40-59 |
| F | <40 or any critical |
Attestations
The scan is free. The attestation costs $0.01.
When you run --attest, supership sends a report envelope to the attestation server. The envelope contains hashes and findings only. The server signs it, anchors the hash to the chain, and returns a witnessed attestation.
The attestation proves a specific scan occurred at a specific time with specific results. It does not certify that code is secure.
What's transmitted: input hash, rule pack hash, engine version, findings, score, grade.
What's never transmitted: source code, file contents, environment variables.
Benchmark
npm test
Runs 20 deliberately vulnerable fixtures against the scanner. Expected: 90% true positive rate, 0 harmful false positives.
Privacy
- Scanning is entirely local. No network calls during a scan.
- Attestation transmits hashes and findings only. Never source code.
- No telemetry. No analytics. No tracking.
API
supership also runs as an x402-native API. Pay per scan with USDC on Base. No API keys, no subscriptions.
| Endpoint | Method | Price | Description |
|---|---|---|---|
/check | GET | Free | Trust check for any x402 service URL |
/scan/free | POST | Free | Score + grade, all 6 categories |
/scan/quick | POST | $1 | Secrets + config findings |
/scan/full | POST | $5 | All categories + fixes |
/scan/deep | POST | $15 | Full + LLM contextual review |
/attest | POST | $0.01 | Sign and witness a scan result |
API base: https://supership.crestsystems.ai
Discovery endpoints: agent.json | llms.txt | OpenAPI
Crest x402 Services
supership is part of the Crest Deployment Systems x402 service fleet. All services accept USDC payments on Base mainnet via the x402 protocol.
| Service | What it does | URL |
|---|---|---|
| supership | Predeploy security scanner + attestation | supership.crestsystems.ai |
| data | Crypto market data, token lookups, gas prices | data.crestsystems.ai |
| audit | Smart contract audit, code security, wallet risk | audit.crestsystems.ai |
Links
- supership API
- Documentation
- npm: supership-scan
- npm: @crestdeploymentsystems/supership-mcp
- Crest Deployment Systems -- deploying scalable intelligence
License
Apache 2.0. See LICENSE for details.
Rule engines (src/rules/) are Apache 2.0 with a relicense notice. See LICENSE for the full NOTICE.
Verwandte Server
Alpha Vantage MCP Server
SponsorAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
WireMCP
Empowers LLMs with real-time network traffic analysis using tshark. Requires Wireshark's tshark to be installed.
Micronaut Fun
It exposes Micronaut framework documentation and guides as MCP resources, it offers tools to search the docs and prompts to help you write tests and perform tasks in an idiomatic way
Unison MCP Server
An MCP server for the Unison language, allowing AI assistants to interact with the Unison Codebase Manager (UCM).
Claude Google Apps Script MCP Guide
Integrate Claude AI with Google Apps Script to automate tasks in Google Sheets and Gmail.
Replicate Flux MCP
Generate high-quality images and vector graphics using the Replicate API.
GodotIQ
The intelligent MCP server for AI-assisted Godot 4 development. 35 tools for spatial intelligence, code understanding, flow tracing, and visual debugging. 22 free, full suite $19.
Arduino MCP Server
Control an Arduino board from your computer using AI commands.
MCPfinder
A Node.js server for AI agents to discover, install, and manage new capabilities on demand via the MCP protocol.
Mobile Xray MCP
Take screenshots and analyze mobile apps with AI assistance directly from your IDE.
Percepta MCP Server
An AI-driven platform for frontend semantic cognition and automation.